[00:08.280 --> 00:14.800]  Hello, it's nice to be here. Thank you for joining this session. I'd like to talk today
[00:14.800 --> 00:21.040]  about a policy approach to resolving cyber security problems in the election process.
[00:21.240 --> 00:27.620]  One thing's for sure, after the coronavirus is no longer dominating the news,
[00:27.620 --> 00:35.380]  election security will come back to center stage, big time. It's not a complicated subject that
[00:35.380 --> 00:41.000]  it is a complicated subject that few people really understand, even election officials.
[00:41.940 --> 00:46.580]  So today, I want to talk about the role that private sector companies play in the voting
[00:46.580 --> 00:53.100]  system, the vulnerabilities associated with their role, and discuss a path forward from the legal
[00:53.100 --> 01:08.320]  and policy perspective. So election security, it's really a private sector problem.
[01:09.170 --> 01:19.340]  Election security, so many aspects of it are performed by private sector companies.
[01:19.340 --> 01:25.600]  There are many avenues for tampering with an election, including changing votes,
[01:25.600 --> 01:29.840]  causing machines to malfunction, altering voter registration records,
[01:29.840 --> 01:35.260]  and disrupting equipment to be used that's used to check in voters.
[01:35.960 --> 01:42.400]  The private sector companies play a large role in these activities, which we call the election
[01:42.400 --> 01:50.300]  process. The voter registration, the checking in, the voting, the polling, the tabulating of the
[01:50.300 --> 01:58.800]  votes, all that is called the election process. And the private sector companies sell the voting
[01:58.800 --> 02:05.960]  machines and program them for most elections. Yes, they program them for each individual election
[02:05.960 --> 02:13.400]  in most jurisdictions. They register voters, they tally votes, and they report votes.
[02:13.400 --> 02:19.680]  And there are vulnerabilities associated with their role that most people don't understand.
[02:20.220 --> 02:25.880]  They think that this is all something controlled by state and local election officials, and it is
[02:25.880 --> 02:36.600]  not. So today I want to talk about a path forward and how to solve this huge complicated problem.
[02:38.090 --> 02:39.200]  There are
[02:41.310 --> 02:49.240]  many avenues for tampering with an election, including changing votes, causing machines
[02:49.240 --> 02:55.620]  to malfunction, altering voter registration records, and disrupting equipment used to check in voters.
[02:57.140 --> 03:04.380]  Let's look at the vulnerabilities in the voting equipment. In 2005, Hari Hirstie performed the
[03:04.380 --> 03:10.520]  famous Hirstie hack and successfully altered votes in a one-step hack that changed both
[03:10.520 --> 03:18.380]  central tabulator results and the voting machine results tape. It was the digital equipment of
[03:18.380 --> 03:25.000]  stuffing the ballot box. The election official who invited Hirstie to check the de-bolt acu-vote
[03:25.000 --> 03:31.520]  optical scan voting machines said he wouldn't have been able to detect the change and would
[03:31.520 --> 03:39.340]  have certified the election. De-bolt is now owned by Dominion Voting Systems. None of the
[03:39.340 --> 03:46.820]  vulnerabilities found by Hirstie were ever fixed. And these same machines are planned for use in 20
[03:46.820 --> 03:55.980]  states in the 2020 election. Think about that. It's 2020 and he discovered this in 2005,
[03:55.980 --> 04:01.980]  15 years later. That's crazy. A later model of the same voting machines with the same
[04:01.980 --> 04:09.060]  vulnerabilities was used in a hotly contested and disputed 2016 election between Stacey Abrams and
[04:09.060 --> 04:18.320]  Brian Kemp in Georgia. So many of these systems that are using these machines are using machines
[04:18.320 --> 04:26.000]  with these vulnerabilities. In recent elections, 99 percent of votes in the U.S. were cast or
[04:26.000 --> 04:34.000]  counted on computers. And many of the core election systems, voter registration databases,
[04:34.000 --> 04:42.820]  election management systems, voting machines, and vote counting systems are using aged computer
[04:42.820 --> 04:49.260]  equipment. The systems employ software that can no longer be updated or patched.
[04:49.260 --> 04:54.520]  They include databases that have known vulnerabilities and they're managed by
[04:54.520 --> 05:01.280]  third-party vendors where supply chain risks exist. This is a big problem.
[05:06.560 --> 05:11.540]  Let's look at the cyber attacks on these private vendors.
[05:12.360 --> 05:22.260]  In 2016, Gresha's military intelligence service penetrated VR systems. VR systems is the vendor
[05:22.860 --> 05:28.360]  that manages and handles all of the programming for the majority of the counties of Florida
[05:29.360 --> 05:33.340]  and it handles all absentee ballots and early voting.
[05:34.300 --> 05:44.400]  We know of this penetration because an NSA contractor, Reality Winner,
[05:44.400 --> 05:52.740]  released a top-secret report about it. And we later found out the FBI briefed election officials
[05:52.740 --> 06:02.440]  in Florida on a very secret basis. It was a year later that election officials around the country
[06:03.080 --> 06:08.280]  realized that Gresha's military intelligence service had been penetrating
[06:09.240 --> 06:16.720]  VR systems and that perhaps their systems might also be vulnerable. In the 2016 elections,
[06:16.720 --> 06:22.960]  electronic voter ID systems in several states went down in certain precincts.
[06:22.960 --> 06:27.160]  Now these are the systems that help identify a voter when they come in to vote.
[06:27.680 --> 06:34.680]  And these technical glitches, they called them, in the machines called hours-long waits
[06:34.680 --> 06:41.960]  for people who had come to the polls to vote. Hours-long waits. Some voters
[06:43.900 --> 06:51.140]  were unable to wait and others could not vote before the polls closed.
[06:52.020 --> 06:58.840]  On election day in 2019, federal officials from law enforcement, homeland security,
[06:58.840 --> 07:05.220]  and the intelligence community issued a joint statement declaring that,
[07:05.220 --> 07:12.040]  our adversaries want to undermine our democratic institutions, influence public sentiment,
[07:12.040 --> 07:19.240]  and affect government policies. Russia, China, Iran, and other foreign malicious actors
[07:19.740 --> 07:26.680]  all will seek to interfere in the voting process or influence voter perceptions.
[07:29.080 --> 07:39.160]  Wow. And it's true. We have a serious problem. We have governments from outside the U.S.
[07:40.000 --> 07:47.900]  trying to influence our democratic processes. And we have voting machines and voter ID systems
[07:48.120 --> 07:57.600]  and private sector companies that have not presented any level of security and assurance
[07:58.080 --> 08:03.940]  that their processes and systems have integrity and are confidential.
[08:08.250 --> 08:21.330]  So we have a U.S. Election Assistance Commission. And this commission is supposed to,
[08:21.330 --> 08:26.450]  but it's perhaps the weakest link in the nation's voting system.
[08:26.450 --> 08:34.690]  The EAC is a bipartisan commission established by Congress in 2002. It maintains a national
[08:34.690 --> 08:42.310]  mail voter registration form. It accredits testing laboratories and certifies voting systems.
[08:42.310 --> 08:47.810]  And it serves as a national clearinghouse of information on election administration.
[08:48.810 --> 08:56.040]  In December 2016, Recorded Future reported that a Russian-speaking hacker named Rasputin
[08:56.470 --> 09:10.370]  was selling access to the EAC systems on the internet. Rasputin had full admin access to
[09:10.370 --> 09:16.890]  the database and could upload any file he wanted. He had lists of voting machinery,
[09:16.890 --> 09:23.890]  test reports of their software, and knew where they were deployed. An EAC employee,
[09:23.890 --> 09:30.150]  whose credentials had been compromised, said if Rasputin had access to the database,
[09:30.150 --> 09:34.310]  he could access the server where the proprietary information is kept.
[09:35.150 --> 09:42.410]  The EAC keeps information about vulnerabilities in voting systems. Thus, a hacker who gets into
[09:42.410 --> 09:50.010]  the EAC could find out where the weak links are in the voting systems all around the country.
[09:59.200 --> 10:05.500]  So let's look at the voting machine companies and what role they have played in this.
[10:06.320 --> 10:15.540]  They have been recalcitrant and arrogant. Researchers and cyber experts have found
[10:15.540 --> 10:21.700]  multiple vulnerabilities in the most used voting machines that would enable an attacker
[10:21.700 --> 10:26.800]  to gain full access to a system, change configurations, and install a modified
[10:26.800 --> 10:35.120]  operating system without election officials knowing. These vulnerabilities can enable
[10:35.120 --> 10:42.300]  hackers to change an election, shut the system down, enable remote execution of code,
[10:42.300 --> 10:49.520]  and offline ballot tampering. There are three primary vendors for voting machines.
[10:49.560 --> 10:57.560]  Electronic systems and software, known as ES&S, Dominion Voting Systems, and Hart InterCivic.
[10:58.140 --> 11:02.560]  We know there are vulnerabilities in most of the voting machines,
[11:03.060 --> 11:10.600]  but very little is known about the security of these companies' own IT systems.
[11:11.200 --> 11:18.700]  The companies that produce these voting machines, that are supposed to maintain them and produce
[11:18.700 --> 11:26.340]  them, and they are the underpinning of the core in our election process. Very little is known
[11:26.340 --> 11:33.320]  about the security of the companies that even manufacture these machines. Some voting machines
[11:33.320 --> 11:41.020]  are optical scanners, some have touchscreen voting, some use QR codes or barcodes,
[11:41.020 --> 11:47.700]  and others send votes in clear text back to vendors to be tallied. They can all be hacked
[11:47.700 --> 11:56.460]  or compromised. If almost all the voting precincts in our clunky system use equipment from these
[11:56.460 --> 12:02.100]  vendors, an attacker only needs to hack the equipment to reach all of the voters.
[12:03.320 --> 12:11.040]  Unlike major technology companies, such as Apple and Microsoft, these vendors do not allow
[12:11.040 --> 12:18.660]  researchers to test their equipment and review their code to find vulnerabilities and bugs.
[12:18.720 --> 12:25.700]  The symbiotic relationship between tech software and hardware vendors and researchers helps them
[12:25.700 --> 12:30.200]  improve their products and keep them secure. But this is not happening
[12:30.860 --> 12:39.460]  when it comes to voting machine manufacturers. They will not let the researchers have access
[12:39.460 --> 12:46.660]  to their equipment. Voting equipment companies have been highly resistant to any review by the
[12:46.660 --> 12:53.680]  research community, claiming their systems are safe and secure. Yet they have failed to fix
[12:53.680 --> 13:01.500]  identified vulnerabilities in the voting equipment. They repeatedly claim everything
[13:01.500 --> 13:07.500]  is fine, we're all secure, this is a priority, we take this seriously, America's voting is just
[13:07.500 --> 13:15.660]  our basic concern, and they don't fix vulnerabilities that researchers have found
[13:15.660 --> 13:25.900]  for 15 years. They let their voting machines be out front and used for voting knowing they
[13:25.900 --> 13:31.640]  have vulnerabilities in them. I guess they think no one's going to exploit them.
[13:32.060 --> 13:38.480]  But really, to cover that up and try to say they're all safe and sound, that's just wrong.
[13:41.310 --> 13:46.150]  So during the three years of the voting village's existence, I think most of you are familiar with
[13:46.150 --> 13:52.150]  voting village, none of the vendors have supported the effort, nor have they been willing
[13:52.150 --> 14:02.850]  to donate or offer equipment. While the researchers in the voting village, they're dedicated to this
[14:02.850 --> 14:09.830]  because one, they want to help develop a community of cybersecurity experts in election security.
[14:09.830 --> 14:14.770]  There are not very many experts out there who know how to
[14:15.610 --> 14:21.430]  deal with election voting machines and cybersecurity problems and how to solve
[14:21.430 --> 14:28.290]  those vulnerabilities. And they also want to make the voting machines and equipment more
[14:28.290 --> 14:37.210]  secure by letting these vulnerabilities be known. The problem is the vendors are doing nothing about
[14:37.210 --> 14:46.430]  it. And apparently the election officials also are not requiring them to fix these vulnerabilities
[14:46.430 --> 14:55.690]  before they have another election. So that's a big problem. So I want to put forth a proposal
[14:56.470 --> 15:03.030]  to address this problem and achieve results. Certain actions can be taken at the federal level
[15:03.700 --> 15:08.310]  that will push a standardized approach out to state and local election officials
[15:09.220 --> 15:17.670]  and will require certain actions to be taken by private sector companies.
[15:19.170 --> 15:26.490]  Article 1, section 4 of the U.S. Constitution grants Congress the power to regulate the times,
[15:26.490 --> 15:34.470]  places, and manner of holding federal elections. Federal elections deal with elections of senators,
[15:34.470 --> 15:41.030]  representatives, and the president. Now state and local election officials are responsible for
[15:41.030 --> 15:47.590]  conducting all elections, but they depend on infusions of federal funding to supplement
[15:47.590 --> 15:54.530]  their state and local funding. So state and local officials can't really afford to have
[15:54.530 --> 15:59.570]  separate equipment and systems, one for state elections and one for federal elections.
[15:59.630 --> 16:06.830]  So when federal election officials or federal election Congress mandates certain requirements
[16:06.830 --> 16:12.490]  for federal elections, they pretty much have to go along with those because they only have one
[16:12.490 --> 16:20.770]  system for voting. So therefore, if Congress sets requirements for federal elections
[16:21.270 --> 16:26.930]  and restricts the funding that these state and local election officials need
[16:27.630 --> 16:35.630]  to only those election agencies that adhere to federal requirements, we will begin to see
[16:35.630 --> 16:44.430]  consistent actions taken across the U.S. that will tighten cybersecurity in the election process.
[16:45.610 --> 16:56.330]  So this proposal that I want to go over with you today is such a proposal to have
[16:57.650 --> 17:05.310]  federal requirements set by Congress. The first would be to direct NIST, the National Institute
[17:05.310 --> 17:14.210]  of Standards and Technology, to establish federal standards for cybersecurity. NIST is
[17:14.510 --> 17:20.170]  the entity in the government that has established all the federal information processing standards.
[17:20.170 --> 17:26.370]  It's established all of the cybersecurity best practices and standards that have been put forth
[17:26.370 --> 17:34.750]  by NIST that federal agencies have to adhere to and certain federal contractors. So they have a
[17:34.750 --> 17:42.810]  deep bench of expertise in not only standards and cybersecurity but in secure engineering practices.
[17:43.200 --> 17:50.090]  And it would be appropriate to direct them to develop federal standards for cybersecurity of
[17:50.090 --> 17:59.710]  our election system software, the infrastructure, and the hardware. All three levels that are used
[17:59.710 --> 18:09.010]  in voter registration, vote tallying, voter polling, and in the manufacturing, servicing,
[18:09.010 --> 18:13.250]  or writing of election parameters of voting machines and equipment.
[18:15.530 --> 18:22.070]  The first covers the systems, the infrastructure, the hardware, the software, the hardware,
[18:22.070 --> 18:28.010]  the network that they're using. What are the standards for that? Because that is used in
[18:28.010 --> 18:34.590]  registration, in tallying, in voter polling. Again, this isn't just one thing of one machine
[18:34.590 --> 18:40.670]  and go to the vote, the poll and vote. This is registering to vote. It's signing in and being
[18:40.670 --> 18:49.130]  ID'd. It is voting. It's tallying the votes. It's polling the votes, the voters, and it's reporting
[18:49.130 --> 18:57.810]  the votes. All of these actions are largely performed by private sector companies who we
[18:57.810 --> 19:05.610]  don't have any idea how their cybersecurity program is, whether it's mature or not.
[19:06.230 --> 19:12.930]  We suspect it's not very mature, but that's just a suspicion. But we should have a standard for
[19:12.930 --> 19:18.630]  saying it must meet these standards. Our democracy depends on it. That's worth a standard.
[19:19.730 --> 19:25.250]  And then we have in the manufacturing, the servicing of voting machines and equipment.
[19:25.250 --> 19:32.010]  Absolutely. We want these vulnerabilities fixed. They need to be serviced and maintained and have
[19:32.010 --> 19:37.350]  integrity. The writing of election parameters means the programming of these machines.
[19:37.350 --> 19:44.450]  In most of the jurisdictions, the private sector companies program these machines for
[19:44.450 --> 19:51.510]  every single election. We need standards to govern how that's done. Second is we should
[19:51.510 --> 19:59.770]  direct NIST to establish a certification process for the security and integrity of election systems,
[19:59.770 --> 20:05.930]  software, infrastructure, and hardware, and associated components and modules of the election
[20:05.930 --> 20:13.230]  process. So there should be a certification process to make sure they're meeting the standards.
[20:13.610 --> 20:19.190]  Next, we should direct NIST to analyze the private sector's role in the election process
[20:19.630 --> 20:25.370]  and recommend any roles or functions that should be changed or restricted to public sector
[20:25.370 --> 20:33.190]  election officials. There are some roles being undertaken by private sector companies that
[20:33.190 --> 20:42.990]  perhaps should not be a private sector activity. Perhaps that role should be strictly a governmental
[20:42.990 --> 20:50.650]  function. But let's NIST analyze that in all of their work in establishing the federal standards
[20:50.650 --> 20:58.850]  in the certification process and recommend to Congress roles that should be perhaps reserved
[20:58.850 --> 21:08.950]  to the public sector. Next, we want Congress to pass a law restricting federal funding
[21:09.910 --> 21:15.170]  to election jurisdictions to only those jurisdictions that one
[21:15.830 --> 21:22.570]  use such funding in a manner consistent with the NIST federal election standards.
[21:23.150 --> 21:29.890]  And those jurisdictions that require annual cybersecurity assessments by an independent
[21:29.890 --> 21:35.910]  third party of all the systems in the election process in accordance with the standards
[21:37.450 --> 21:44.390]  that require annual cybersecurity assessments by a third party of all private sector companies
[21:44.390 --> 21:49.870]  involved in the election process in accordance with the NIST standards. And to make these
[21:49.870 --> 21:55.670]  assessments available to election officials contracting with them. A company may get a
[21:55.670 --> 22:02.590]  cybersecurity assessment but it may not share it. We want them, we want these vendors to have to get
[22:02.590 --> 22:11.050]  third-party assessments every year and share those assessments with the election officials
[22:11.050 --> 22:16.230]  contracting with them. And we want the election officials to get third-party assessments of
[22:16.230 --> 22:24.170]  their systems in accordance with the NIST standards. This is what private businesses do
[22:25.010 --> 22:29.450]  every day. That's what's required of them. This is not asking too much
[22:30.110 --> 22:33.950]  of election officials or private sector vendors that support the democracy that
[22:33.950 --> 22:40.910]  this country has been built on. We also want federal funding restricted to those jurisdictions
[22:40.910 --> 22:47.510]  that establish requirements for post-election auditing of votes, at least on the level of
[22:47.510 --> 22:55.190]  risk-limiting audits and to make the findings public. So restricting federal funding to only
[22:55.190 --> 23:00.750]  those jurisdictions that comply with the NIST standards, that conduct the risk assessments
[23:00.750 --> 23:06.930]  themselves, that make their vendors get the assessments, and that have post-election auditing.
[23:06.970 --> 23:15.390]  There's a precedent for this. Congress has passed laws in the past to restrict highway funds
[23:15.390 --> 23:20.230]  to only those jurisdictions that lower the speed limit to 55 miles an hour.
[23:21.190 --> 23:28.170]  Congress has restricted funds to only go to those school districts that would adjust their
[23:28.170 --> 23:36.360]  cafeteria menus to comply with the new recommended federal menu. There are numerous other examples,
[23:37.050 --> 23:45.470]  but the Congress has in the past, in several instances, tied its federal funding to meeting
[23:45.470 --> 23:52.130]  certain requirements. There's nothing more important than having our federal funding tied
[23:52.130 --> 23:58.610]  to meeting the requirements that our vote counts, that every vote should be counted and it should
[23:58.610 --> 24:07.370]  be counted as cast. The American Bar Association, which represents over 400,000 attorneys, recently
[24:07.370 --> 24:17.850]  adopted Resolution 118, which calls for these exact measures. Cybersecurity best practices and
[24:17.850 --> 24:23.850]  standards can help, because election security is not going to get solved overnight. But standing
[24:23.850 --> 24:31.370]  up a cybersecurity program for election systems that's in compliance with cybersecurity best
[24:31.370 --> 24:38.710]  practices and standards will be a first big step. Congress may not pass a law right away,
[24:38.710 --> 24:44.750]  but election officials should already be doing this. They should already be saying,
[24:44.750 --> 24:50.150]  we have NIST standards for cybersecurity programs. There are ISO standards. There's
[24:50.150 --> 24:54.990]  multiple standards out there for cybersecurity programs, and every single vendor should be
[24:54.990 --> 25:00.190]  adhering to those. They're not only using equipment with vulnerabilities, their own
[25:00.190 --> 25:06.370]  networks and systems are vulnerable as well. So it's time election officials step up and take
[25:06.370 --> 25:13.070]  action, even before Congress does. They should require, election officials should require election
[25:13.070 --> 25:18.630]  vendors to meet cybersecurity standards and best practices, conduct annual risk assessments of
[25:18.630 --> 25:25.610]  their program's maturity, and do what every other business would do, manage its risk.
[25:25.610 --> 25:30.810]  In addition, they need to follow the lead of California and other jurisdictions and hire
[25:30.810 --> 25:36.650]  experts to test the security of their voting machines and equipment, and then demand that
[25:36.650 --> 25:43.990]  vendors close any vulnerabilities found. Why are these officials letting machines with vulnerabilities
[25:43.990 --> 25:50.550]  that have been known for 15 years be used in their jurisdictions? That's crazy. They need to demand
[25:50.550 --> 25:57.330]  these vulnerabilities be fixed, and they need to join with each other nationally and ensure that
[25:57.330 --> 26:04.410]  that those machines are not used in elections. So legislation and other reforms are needed, but
[26:04.410 --> 26:09.850]  election officials can achieve these things through their own direction and in legal agreements with
[26:09.850 --> 26:16.700]  their election vendors, and they should begin now and do as much as possible before November.
[26:17.560 --> 26:19.120]  Thank you very much.
